Solution 1: redirect the port

Use iptables to redirect the port 514 to another range, like 10514. The iptables rules are stored in /etc/sysconfig/iptables. It contains the rules which will be loaded during bootup. The reason why the rules disappeared after reboot is that they were not saved to this file. You need to add the rules using the following commands:

Alternatively, you could also copy the iptables file from /etc/sysconfig from any other working SSIM which already has the rules for syslog redirect.

And set up Splunk to listen to this new port.

My favorite config for UDP is

[udp://10514]
sourcetype=syslog
connection_host=ip
# do not resolve the hostname, it is usually included in the syslog events
queueSize=1MB
# to add some buffer in case of indexer slow
persistentQueueSize = 5MB
# to add some disk buffer too

Solution 2: use a syslog server

- set up an rsyslog/syslog-ng server to run as a system process, and listen to 514
- have the logs written to disk, for example a folder per host, with log rotation
- have Splunk monitor those folders

The advantage of this method is that UDP is non-resilient and volatile, so the syslog server will act as a file buffer, and if Splunk is restarting it will catch up once up.
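The following is an added example, not the original poster's commands: it applies the UDP 514 to 10514 redirect from Solution 1, saves it to /etc/sysconfig/iptables, and checks that a saved rules file really contains the redirect so it survives a reboot. The function names and the sample rules text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Ports and the rules file path come from the answer above;
# function names and sample data are hypothetical.
SRC_PORT=514
DST_PORT=10514
RULES_FILE=/etc/sysconfig/iptables

# Apply the redirect to the running kernel and persist it (needs root).
# Defined but not called here, so the script is safe to run unprivileged.
apply_redirect() {
    iptables -t nat -A PREROUTING -p udp --dport "$SRC_PORT" \
        -j REDIRECT --to-ports "$DST_PORT"
    iptables-save > "$RULES_FILE"   # without this the rule is lost on reboot
}

# Return 0 if iptables-save formatted text (file argument or stdin) holds a
# nat/PREROUTING rule redirecting udp SRC_PORT to DST_PORT, 1 otherwise.
has_redirect() {
    awk -v sp="$SRC_PORT" -v dp="$DST_PORT" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && /^-A PREROUTING / && / -p udp / &&
            $0 ~ (" --dport " sp " ") && / -j REDIRECT / &&
            $0 ~ (" --to-ports " dp "( |$)") { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed sample: rules file that was saved after adding the redirect.
sample_saved() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 10514' \
        'COMMIT' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p udp -m udp --dport 10514 -j ACCEPT' 'COMMIT'
}

# Constructed sample: redirect missing (only a near-miss rule for port 5140).
sample_unsaved() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p udp -m udp --dport 5140 -j REDIRECT --to-ports 10514' \
        'COMMIT' '*filter' ':INPUT ACCEPT [0:0]' 'COMMIT'
}

for s in sample_saved sample_unsaved; do
    if "$s" | has_redirect; then echo "$s: redirect will survive reboot"
    else echo "$s: redirect NOT in saved rules"; fi
done
```

On a real host, run `has_redirect /etc/sysconfig/iptables` after saving to confirm the rule was written to the boot-time file.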

For whatever it's worth, in 6.1.1 the same limitation still exists. I was hoping that because 6.1 now starts as root and switches to a named (non-privileged) user during startup that this limitation may have been lifted, but testing shows otherwise.
